D
82.8 / 100
Domain, IP Address & Port Number
dres.ir
(5.201.139.67:443)
Assessment Time & Date
Nov. 8, 2024, 12:36 p.m.
Assessment Duration
310 seconds
Based on "SSLv3" test, which shows an obsolete and insecure result, your grade has dropped to D.
Based on "TLS1" test, which shows an obsolete and insecure result, your grade has dropped to B.
Based on "TLS1_1" test, which shows an obsolete and insecure result, your grade has dropped to B.
Based on "cipherlist_LOW" test, which shows an obsolete and insecure result, your grade has dropped to B.

SSL Certificate

Is the certificate still valid? YES
Certificate Issue Date 2024-05-12 09:31
Certificate Expiration Date 2025-05-12 09:31
Trust Chain Health Healthy
Certificate Issuer Certum Domain Validation CA SHA2 (Unizeto Technologies S.A. from PL)
Is the certificate valid for dres.ir? YES
This test checks if the server supports SSLv3 or not. SSLv3 is a broken, hence, unsafe protocol and must not be used.

HTTP Header Response

HTTP Status Code 302 Found ('/')
Strict Transport Security (HSTS) 730 days (=63072000 seconds) > 15465600 seconds
HSTS Subdomains includes subdomains
HSTS Preload domain is NOT marked for preloading
Public Key Pinning (HPKP) No support for HTTP Public Key Pinning
Server Banner nginx/1.18.0 (Ubuntu)
Banner Application No application banner found

Protocol Information

SSLv2 Your server does not support SSLv2 which is good since it is an insecure protocol.
This test checks if the server supports SSLv2 or not. SSLv2 is a broken, hence, unsafe protocol and must not be used.
SSLv3 Your server supports SSLv3 which is a broken protocol. You are advised to disable support for this protocol.
This test checks if the server supports SSLv3 or not. SSLv3 is a broken, hence, unsafe protocol and must not be used.
TLS1 Your server supports TLSv1.0. This protocol is now considered a weak protocol. You are advised to disable support for this protocol.
This test checks if the server supports TLSv1.0 or not. TLS1.0 is an almost two-decade-old protocol. It is vulnerable to attacks such as BEAST and POODLE. Additionally, TLSv1.0 supports weak cipher suites, which further makes it an insecure protocol. Starting June 30, 2018, websites will need to stop supporting TLS 1.0 to remain PCI compliant.
TLS1.1 Your server supports TLSv1.1. This protocol is now considered a weak protocol. You are advised to start supporting more advanced protocols.
TLS1.1 does not have known major vulnerabilities. But, similar to TLS1.0, it supports weak cipher suites that are not suitable for modern use.
TLS1.2 Your server supports TLSv1.2. Currently, this protocol is considered stable. But you'd better consider supporting TLS v1.3.
Currently, TLS1.2 is a stable and secure protocol to go with before TLS1.3 is officially announced as the only accepted protocol.
TLS1.3 Your server does not support TLSv1.3. We strongly advise supporting this protocol.
TLS1.3 is going to be the stable secure protocol in the near future and it is recommended that every server shift to this protocol.

Cipher Suites

NULL Your server does not support NULL ciphers.
Description: Cipher suites with "NULL" do not offer data encryption, only an integrity check. This means "not secure" for most usages. Validation Conditions: This test is passed if the certificate has not expired.
aNULL Your server does not support aNULL ciphers.
Description: For a certificate to be trusted and valid, it must not be expired. Validation Conditions: This test is passed if the certificate has not expired.
EXPORT Your server does not support EXPORT ciphers.
Description: The cipher suites with "EXPORT" are, by design, weak. They are encrypted, but only with keys small enough to be cracked with even amateur hardware (say, a basic home PC -- symmetric encryption relying on 40-bit keys). These suites were defined to comply with the US export rules on cryptographic systems, rules which were quite strict before 2000. Nowadays, these restrictions have been lifted and there is little point in supporting the "EXPORT" cipher suites. Validation Conditions: This test is passed if the server does not support EXPORT ciphers.
LOW Your server supports LOW ciphers, which are considered insecure ciphers.
Description: For a certificate to be trusted and valid, it must not be expired. Validation Conditions: This test is passed if the certificate has not expired.
3DES_IDEA Your server supports 3DES ciphers, which are considered insecure ciphers.
Description: For a certificate to be trusted and valid, it must not be expired. Validation Conditions: This test is passed if the certificate has not expired.
AVERAGE Your server supports AVERAGE ciphers, which are considered insecure ciphers.
Description: For a certificate to be trusted and valid, it must not be expired. Validation Conditions: This test is passed if the certificate has not expired.
Strong Your server supports strong ciphers.
Description: For a certificate to be trusted and valid, it must not be expired. Validation Conditions: This test is passed if the certificate has not expired.

PFS Information

PFS Overview Your server supports Perfect Forward Secrecy (PFS)
Description: Perfect Forward Secrecy guarantees different encryption keys per session. Thus, if a session key is compromised, other sessions previously recorded by an attacker will be safe. Validation Conditions: This test is passed if your server supports robust perfect forward secrecy.
Ciphers that support PFS. List of ciphers that support perfect forward secrecy (PFS).
Description: This test derives the ciphers that your server uses and depicts the ones that support perfect forward secrecy.
  1. ECDHE-RSA-AES256-GCM-SHA384
  1. ECDHE-RSA-AES256-SHA384
  1. ECDHE-RSA-AES256-SHA
  1. DHE-RSA-AES256-GCM-SHA384
  1. DHE-RSA-AES256-SHA256
  1. DHE-RSA-AES256-SHA
  1. DHE-RSA-CAMELLIA256-SHA
  1. ECDHE-RSA-AES128-GCM-SHA256
  1. ECDHE-RSA-AES128-SHA256
  1. ECDHE-RSA-AES128-SHA
  1. DHE-RSA-AES128-GCM-SHA256
  1. DHE-RSA-AES128-SHA256
  1. DHE-RSA-AES128-SHA
  1. DHE-RSA-SEED-SHA
  1. DHE-RSA-CAMELLIA128-SHA
Analysis of ECDH Curves Your server uses strong ECDHE keys for key exchange.
Description: Elliptic-curve Diffie–Hellman (ECDH) is a key agreement protocol that allows two parties, each having an elliptic-curve public–private key pair, to establish a shared secret over an insecure channel. This shared secret may be directly used as a key, or to derive another key. The key, or the derived key, can then be used to encrypt subsequent communications using a symmetric-key cipher. It is a variant of the Diffie–Hellman protocol using elliptic-curve cryptography. Validation Conditions: This test will pass if ECDH is correctly implemented.
Analysis of the strength of Diffie-Hellman Keys Your server uses strong Diffie-Hellman keys for key exchange.
Description: Diffie–Hellman key exchange is a method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols. Diffie–Hellman is used to secure a variety of Internet services. However, research published in October 2015 suggests that the parameters in use for many DH Internet applications at that time are not strong enough to prevent compromise by very well-funded attackers, such as large governments. Validation Conditions: This test will pass if the keys are of standard strength.

Vulnerabilities

Analyzing Heartbleed Vulnerability Your connection is immune against heartbleed attack.
Description: 'Heartbleed' was a critical vulnerability in SSL which would enable an adversary to retrieve sensitive information from the corresponding server. Validation Conditions: This test passes if the server is not vulnerable to this attack.
Analyzing CCS Vulnerability Your connection is immune against CCS attack.
Description: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of 'ChangeCipherSpec' messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the 'CCS Injection' vulnerability.
Analyzing Ticketbleed Vulnerability Your connection is immune against ticketbleed attack.
Description: 'The Ticketbleed-Bug' was a programming error in enterprise-level hardware. This bug allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time. This memory can potentially contain key material or sensitive data from other connections. Validation Conditions: This test passes if the server is not vulnerable to 'ticketbleed-bug'.

Cipher Suite Assessments

SSLv3
  1. TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
  1. TLS-DHE-RSA-WITH-AES-256-CBC-SHA
  1. TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
  1. TLS-RSA-WITH-AES-256-CBC-SHA
  1. TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
  1. TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
  1. TLS-DHE-RSA-WITH-AES-128-CBC-SHA
  1. TLS-DHE-RSA-WITH-SEED-CBC-SHA
  1. TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
  1. TLS-RSA-WITH-AES-128-CBC-SHA
  1. TLS-RSA-WITH-SEED-CBC-SHA
  1. TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
  1. TLS-RSA-WITH-IDEA-CBC-SHA
  1. TLS-ECDHE-RSA-WITH-RC4-128-SHA
  1. TLS-RSA-WITH-RC4-128-SHA
  1. TLS-RSA-WITH-RC4-128-MD5
  1. TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
  1. TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
  1. TLS-RSA-WITH-3DES-EDE-CBC-SHA
TLS1.2

Browser Simulations

| Client | Protocol | Cipher Suite |
| --- | --- | --- |
| ANDROID-442 | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |
| ANDROID-500 | TLSv1.2 | ECDHE-RSA-AES256-SHA |
| ANDROID-60 | TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256 |
| ANDROID-70 | TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256 |
| ANDROID-81 | TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256 |
| ANDROID-90 | TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256 |
| ANDROID-X | TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256 |
| CHROME-74-WIN10 | TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256 |
| CHROME-79-WIN10 | TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256 |
| FIREFOX-66-WIN81 | TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256 |
| FIREFOX-71-WIN10 | TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256 |
| IE-6-XP | SSLv3 | |
| IE-8-WIN7 | TLSv1.0 | AES128-SHA |
| IE-8-XP | TLSv1.0 | RC4-MD5 |
| IE-11-WIN7 | TLSv1.2 | ECDHE-RSA-AES256-SHA384 |
| IE-11-WIN81 | TLSv1.2 | ECDHE-RSA-AES256-SHA384 |
| IE-11-WINPHONE81 | TLSv1.2 | AES128-SHA256 |
| IE-11-WIN10 | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |
| EDGE-15-WIN10 | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |
| EDGE-17-WIN10 | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |
| OPERA-66-WIN10 | N/A | No Connection |
| SCANPROBLEM | N/A | TCP |